aws_iam_instance_profile: Restrict example perms

In this example, principal "AWS": "*" tells IAM that any user in the world can assume that role as long as they know the account ID + role name. 

In my testing, "Service": "ec2.amazonaws.com" is sufficiently permissive to allow the instance_profile to work without allowing global accesses.
This commit is contained in:
sethp-jive 2016-08-25 15:28:39 -07:00 committed by GitHub
parent ed3d61446b
commit 36d0e6690d
1 changed files with 3 additions and 1 deletions

View File

@ -27,7 +27,9 @@ resource "aws_iam_role" "role" {
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {"AWS": "*"},
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}